WO2019136953A1 - Method, device, apparatus and medium for botnet detection based on C&C domain name analysis - Google Patents


Info

Publication number
WO2019136953A1
Authority
WO
WIPO (PCT)
Prior art keywords
domain name
botnet
domain
legal
category
Prior art date
Application number
PCT/CN2018/096107
Other languages
English (en)
Chinese (zh)
Inventor
杜明
涂大志
王新成
Original Assignee
深圳市联软科技股份有限公司
Application filed by 深圳市联软科技股份有限公司
Publication of WO2019136953A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Definitions

  • the present invention relates to the field of network security technologies, and in particular, to a botnet detection method, apparatus, device and medium based on C&C domain name analysis.
  • Botnet refers to a network in which an attacker or controller (Botmaster) propagates bots to control a large number of hosts and, through a one-to-many command and control channel, sends control commands to the controlled computers that instruct the parasitic Trojan to perform a predetermined malicious action.
  • the controlled computer is called a broiler, a zombie host or, for short, a bot; Figure 1 is a botnet structure diagram.
  • botnet detection technologies mainly include: IDS (Intrusion Detection System), honeypot technology and network traffic analysis.
  • IDS Intrusion Detection System
  • Honeypot technology lures attacks by deliberately deploying targets to be attacked. Once an attacker breaks in, it is possible to track how the attacks are carried out, analyze the connections between attackers and obtain their social networks.
  • honeypot technology requires extensive deployment and is easily taken over and used as an attack springboard.
  • Network traffic analysis: the research idea is to analyze the behavioral characteristics of zombie hosts in a botnet based on the Internet Relay Chat (IRC) protocol, and to classify zombie hosts into two categories, long-term stagnant and fast-joining. Specifically, zombie hosts in a botnet show three obvious behavioral characteristics. First, when a bot spreads through a worm, a large number of computers infected by it join the same IRC server in a short time; second, a zombie host generally stays online for a long time; third, a zombie host acts as an IRC chat user that does not speak in the chat channel for a long time and remains idle. Traffic analysis can find some zombie hosts, but most of the malicious domain names randomly generated for the Command and Control server (C&C server) never generate traffic, and the network's operating state is random, so it is difficult to lock zombie hosts and locate botnets across the entire Internet in a timely and accurate manner.
  • C&C server Command and Control server
  • the existing botnet monitoring technology cannot capture attack behavior in time, lock the zombie hosts and locate the botnet.
  • the technical problem to be solved by the present application is to provide a botnet detection method, apparatus, device and medium based on C&C domain name analysis, which analyze the domain name system (DNS) log records to extract the C&C domain names used by attack activity, then analyze the type of parasitic Trojan, lock the zombie hosts controlled by the C&C server, and analyze the trend of botnet activity through the Poisson parameters generated for each type of C&C domain name, so that timely and effective suppression measures can be taken.
  • DNS domain name system
  • the embodiment of the present application provides a botnet detection method based on C&C domain name analysis, including:
  • the domain name analysis step detects the C&C domain name in the DNS log record according to the pre-built domain name analyzer, and determines the category of each C&C domain name;
  • the botnet determination step determines whether a botnet exists based on the category of the C&C domain name and the C&C domain name.
  • the method further comprises:
  • the data statistics step counts the frequency of occurrence of each type of C&C domain name;
  • the trend judgment step determines the activity trend of the botnet based on the frequency of occurrence of all categories of C&C domain names to assist in the timely development of effective suppression measures.
  • the trend determining step comprises:
  • the training process of the domain name analyzer comprises:
  • the domain name analyzer is trained according to the legal domain name training sample set, the C&C domain name training sample set, and the character probability dictionary.
  • the domain name analyzer is a neural network model based on a cumulative BP algorithm, and a regularization term that comprehensively considers an empirical error factor and a network complexity factor is provided in the neural network model.
  • the calculating step of the neural network model based on the cumulative BP algorithm comprises:
  • the stochastic gradient descent parameter is used to approximate the global minimum solution of the error function.
  • the domain name analysis step comprises:
  • the category of the C&C domain name is determined based on the classification number.
  • the embodiment of the present application provides a botnet detection apparatus based on C&C domain name analysis, including:
  • an information obtaining unit configured to acquire a DNS log record;
  • a domain name analyzing unit configured to detect a C&C domain name in the DNS log record according to a pre-built domain name analyzer, and determine a category of each C&C domain name
  • the botnet determining unit is configured to determine whether a botnet exists according to the category of the C&C domain name and the C&C domain name.
  • the apparatus further comprises:
  • the trend judging unit is configured to determine an activity trend of the botnet according to the frequency of occurrence of all categories of C&C domain names, so as to assist in formulating effective suppression measures in time.
  • the trend judging unit is configured to substitute the frequency of occurrence of each type of C&C domain name into the Poisson distribution probability function to obtain the Poisson parameter corresponding to that category, to determine all the Poisson parameters as a measure of the regularity of botnet activity, and to determine the activity trend of the botnet according to that measure.
  • the training process of the domain name analyzer includes:
  • the domain name analyzer is a neural network model based on a cumulative BP algorithm, and a regularization term that comprehensively considers an empirical error factor and a network complexity factor is provided in the neural network model.
  • the domain name analyzing unit is configured to:
  • an embodiment of the present application provides a computer device, including: at least one processor, at least one memory, and computer program instructions stored in the memory which, when executed by the processor, implement the method of the first aspect.
  • an embodiment of the present application provides a computer readable storage medium having stored thereon computer program instructions that, when executed by a processor, implement the method of the first aspect of the above embodiments.
  • the botnet detection method, apparatus, device and medium based on C&C domain name analysis analyze the domain name system (DNS) log records, extract the C&C domain names used by attack activity, analyze the type of parasitic Trojan and lock the zombie hosts controlled by the C&C server.
  • analyze the trend of botnet activity by analyzing the Poisson parameters generated by each type of C&C domain name, so as to implement effective suppression measures in time.
  • the frequency of occurrence of the C&C domain name and the Poisson parameter can be analyzed, and the trend of the botnet activity can be obtained, thereby facilitating the formulation of effective suppression measures.
  • FIG. 1 is a structural diagram of a botnet in the prior art provided by the present invention.
  • FIG. 2 is a flowchart of a botnet detection method based on C&C domain name analysis according to an embodiment of the present invention.
  • FIG. 3 is still another flowchart of a botnet detection method based on C&C domain name analysis according to an embodiment of the present invention.
  • FIG. 5 is a block diagram of a botnet detecting apparatus based on C&C domain name analysis according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of hardware of a computer device according to an embodiment of the present invention.
  • the botnet detection method based on C&C domain name analysis includes:
  • the information acquisition step S1 acquires a DNS log record
  • the domain name analysis step S2 detects the C&C domain name in the DNS log record according to the pre-built domain name analyzer, and determines the category of each C&C domain name;
  • the botnet determination step S3 determines whether a botnet exists based on the C&C domain names and the category of each C&C domain name.
  • the botnet detection method based on C&C domain name analysis analyzes the domain name system (DNS) log records, extracts the C&C domain names used by attack activity, analyzes the type of parasitic Trojan, and locks the zombie hosts controlled by the C&C server.
  • the format of the DNS log record is as shown in Table 1.
  • the domain name analysis is performed, and the domain name detection result shown in Table 2 is obtained; in the domain name detection result, the C&C domain names belonging to the same category are counted in chronological order.
  • the domain name analyzer in this embodiment can recognize 28 kinds of C&C domain names, such as banjori.
  • the method further includes:
  • the data statistics step S4 counts the frequency of occurrence of each type of C&C domain name;
  • the trend judging step S5 determines the activity trend of the botnet according to the frequency of occurrence of all categories of C&C domain names, so as to assist in formulating effective suppression measures in time.
  • the trend determining step S5 includes:
  • the zombie host requests a large number of new C&C domain names, most of which fail to resolve;
  • the C&C server domain name occurrence frequency satisfies the Poisson distribution.
  • the C&C domain name detection model judges the records extracted from the DNS logs, counts the number of occurrences of C&C domain names of the same category, and substitutes the counts into the Poisson distribution probability function to estimate the Poisson parameter λ for a certain period of time.
  • the Poisson distribution probability function is as follows:
  • the Poisson parameter is determined as a measure of the regularity of botnet activity.
  • Table 3 is an analysis of the botnet activity trend.
  • any unit of time can be used as the statistical period, and the average frequency is the number of C&C domain names captured in the current statistical period.
  • the zombie host IP address, MAC address
  • targeted suppression measures can be formulated in a timely manner.
  • the training process of the domain name analyzer includes:
  • the domain name analyzer is trained according to the legal domain name training sample set, the C&C domain name training sample set, and the character probability dictionary.
  • the 1,495,163 legal domain names are valid website domain names published by Alexa and the like, and the C&C domain names are obtained by using public DGA (Domain Generation Algorithm) algorithms.
  • DGA Domain Generation Algorithm
  • Pseudo-random means that the string sequence seems to be random, but since its structure can be predetermined, it can be repeated and copied. This algorithm is often used in malware as well as remote control software.
  • the domain name characteristics are as shown in Table 4.
  • the domain name analyzer is a neural network model based on the cumulative BP algorithm, and the regularization term considering the empirical error factor and the network complexity factor is set in the neural network model.
  • the calculation steps of the neural network model based on the cumulative BP algorithm include: calculating the error objective function; describing the complexity of the neural network; estimating the model parameters by the cross-validation method; and using the stochastic gradient descent parameter to approximate the global minimum solution of the error function.
  • an n-gram (uni-gram, bi-gram, tri-gram) character probability dictionary is established from the 1,495,163 legal domain names obtained by cleaning.
  • for the legal domain names and for each kind of C&C domain name alike, 1000 samples are randomly selected as the training sample set, and the cumulative BP algorithm is used.
  • the part describing the complexity of the neural network is added to the error objective function, and the model parameters are estimated by the cross-validation method.
  • stochastic gradient descent is used to approach the global minimum of the error function.
  • the regularization term is added during BP algorithm training so that empirical error and network complexity are traded off, which effectively controls over-fitting.
  • the domain name analysis step S2 includes: extracting the domain name from the DNS log record; performing feature extraction on the domain name; determining whether the domain name is a C&C domain name according to the character probability dictionary; performing domain name feature quantification on the C&C domain name to obtain its classification number; and determining the category of the C&C domain name according to the classification number.
  • a botnet detection apparatus based on C&C domain name analysis provided by an embodiment of the present invention includes:
  • the information obtaining unit 1 is configured to acquire a DNS log record.
  • the domain name analyzing unit 2 is configured to detect a C&C domain name in the DNS log record according to a pre-built domain name analyzer, and determine a category of each C&C domain name;
  • the botnet determining unit 3 is configured to determine whether a botnet exists according to the category of the C&C domain name and the C&C domain name.
  • the botnet detection apparatus based on C&C domain name analysis provided by the embodiment of the present invention analyzes the domain name system (DNS) log records, extracts the C&C domain names used by attack activity, analyzes the type of parasitic Trojan, and locks the zombie hosts controlled by the C&C server.
  • the format of the DNS log record is as shown in Table 1.
  • the domain name analysis is performed, and the domain name detection result shown in Table 2 is obtained; in the domain name detection result, the C&C domain names belonging to the same category are counted in chronological order.
  • the domain name analyzer in this embodiment can recognize 28 kinds of C&C domain names, such as banjori.
  • the apparatus further includes:
  • the data statistics unit 4 is configured to count the frequency of occurrence of each type of C&C domain name;
  • the trend judging unit 5 is configured to determine the activity trend of the botnet according to the frequency of occurrence of all categories of C&C domain names, so as to assist in formulating effective suppression measures in time.
  • the trend judging unit 5 is specifically configured to:
  • the zombie host requests a large number of new C&C domain names, most of which fail to resolve;
  • the C&C server domain name occurrence frequency satisfies the Poisson distribution.
  • the C&C domain name detection model judges the records extracted from the DNS logs, counts the number of occurrences of C&C domain names of the same category, and substitutes the counts into the Poisson distribution probability function to estimate the Poisson parameter λ for a certain period of time.
  • the Poisson distribution probability function is as follows:
  • the Poisson parameter is determined as a measure of the regularity of botnet activity.
  • Table 3 is an analysis of the botnet activity trend.
  • any unit of time can be used as the statistical period, and the average frequency is the number of C&C domain names captured in the current statistical period.
  • the zombie host IP address, MAC address
  • targeted suppression measures can be formulated in a timely manner.
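As an added example for the trend judgement described for step S5 above and repeated for trend judging unit 5 (this is illustrative code, not the patent's or Leagsoft's), the following Python buckets detected C&C domain names by category and statistical period, estimates the Poisson parameter λ for each category from the earlier periods, and judges whether the current period's count is unusually high or low under that λ. The detection records are constructed, and the two-sided 5 % tail rule behind "rising"/"falling" is an assumption: the patent only states that the per-category frequency is fitted to a Poisson distribution and that λ is used as the activity measure.

```python
"""Added example (not the patent's or Leagsoft's code): Poisson-based activity
trend judgement for the trend step S5 / trend judging unit 5.  Detection
records are constructed; the 5 % tail rule is an assumption."""
import csv
import io
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detection results in the spirit of Table 2:
# time, client IP (the zombie host), queried domain, C&C category.
# Period length is one hour; the third hour is the "current" period.
DETECTION_LOG = """\
2018-01-15T09:00:05,10.0.0.5,xqzjvkwpb.com,banjori
2018-01-15T09:05:10,10.0.1.20,tqwvkzbjx.net,cryptolocker
2018-01-15T09:12:00,10.0.2.7,mvzqxjwkbt.org,ramnit
2018-01-15T09:20:44,10.0.1.20,kzjwqvxbtm.net,cryptolocker
2018-01-15T09:33:02,10.0.1.21,vbxqzjkwtm.net,cryptolocker
2018-01-15T09:41:30,10.0.0.5,hfdkqvzxwme.net,banjori
2018-01-15T09:58:17,10.0.1.20,qzxvjbkwmt.net,cryptolocker
2018-01-15T10:05:25,10.0.2.7,zqvxjwkbmt.org,ramnit
2018-01-15T10:11:36,10.0.1.21,wkvxqzjbtm.net,cryptolocker
2018-01-15T10:17:02,10.0.0.9,qwpzxjvkb.com,banjori
2018-01-15T10:29:58,10.0.1.20,jxkvqzwbtm.net,cryptolocker
2018-01-15T10:47:21,10.0.1.21,bmtwkvxqzj.net,cryptolocker
2018-01-15T10:50:13,10.0.2.8,xjwkbmtzqv.org,ramnit
2018-01-15T11:03:44,10.0.0.5,pbwkvjzqx.com,banjori
2018-01-15T11:08:40,10.0.2.7,kbmtzqvxjw.org,ramnit
2018-01-15T11:09:12,10.0.0.9,vjzqxpbwk.com,banjori
2018-01-15T11:15:50,10.0.0.5,zqxpbwkvj.com,banjori
2018-01-15T11:22:31,10.0.0.12,wkvjzqxpb.com,banjori
2018-01-15T11:30:07,10.0.0.9,xpbwkvjzq.com,banjori
2018-01-15T11:36:02,10.0.2.8,tzqvxjwkbm.org,ramnit
2018-01-15T11:41:55,10.0.0.12,bwkvjzqxp.com,banjori
2018-01-15T11:52:19,10.0.0.5,jzqxpbwkv.com,banjori
"""


def parse_detections(text):
    """Parse the CSV detection log into (datetime, ip, domain, category) rows."""
    rows = []
    for ts, ip, domain, category in csv.reader(io.StringIO(text)):
        rows.append((datetime.fromisoformat(ts), ip, domain, category))
    return rows


def counts_per_period(rows, period=timedelta(hours=1)):
    """{category: [count in period 0, period 1, ...]}, zero-filled so that a
    category that went silent still shows a 0 in the latest period."""
    start = min(r[0] for r in rows)
    n_periods = max(int((r[0] - start) / period) for r in rows) + 1
    counts = defaultdict(lambda: [0] * n_periods)
    for ts, _ip, _domain, category in rows:
        counts[category][int((ts - start) / period)] += 1
    return dict(counts)


def poisson_pmf(k, lam):
    """P(X = k) for X ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def poisson_lambda(counts):
    """Maximum-likelihood lambda: mean number of C&C domain names per period."""
    return sum(counts) / len(counts)


def judge_trend(counts, alpha=0.05):
    """Fit lambda to all but the latest period, then ask how surprising the
    latest count k is under Poisson(lambda).  Returns (lambda, trend)."""
    history, k = counts[:-1], counts[-1]
    lam = poisson_lambda(history)
    p_at_least = 1.0 - sum(poisson_pmf(i, lam) for i in range(k))
    p_at_most = sum(poisson_pmf(i, lam) for i in range(k + 1))
    if p_at_least < alpha:
        trend = "rising"        # far more queries than the fitted rate predicts
    elif p_at_most < alpha:
        trend = "falling"       # e.g. the category went silent (k == 0)
    else:
        trend = "stable"
    return lam, trend


def zombie_hosts(rows):
    """Client IPs that queried each category's C&C domain names (cf. the
    zombie host IP address recorded per category)."""
    hosts = defaultdict(set)
    for _ts, ip, _domain, category in rows:
        hosts[category].add(ip)
    return {c: sorted(h) for c, h in hosts.items()}


def analyse(text):
    """{category: (lambda, trend)} for every category in the detection log."""
    rows = parse_detections(text)
    return {c: judge_trend(k) for c, k in counts_per_period(rows).items()}


if __name__ == "__main__":
    for category, (lam, trend) in analyse(DETECTION_LOG).items():
        print(f"{category:13s} lambda={lam:.2f} trend={trend}")
```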
  • the training process of the domain name analyzer includes:
  • the domain name analyzer is trained according to the legal domain name training sample set, the C&C domain name training sample set, and the character probability dictionary.
  • the 1,495,163 legal domain names are valid website domain names published by Alexa and the like, and the C&C domain names are obtained by using public DGA algorithms.
  • a DGA is a domain name generation algorithm: an attacker can use it to generate pseudo-random strings to be used as domain names, so that blacklist-based detection is effectively evaded.
  • Pseudo-random means that the string sequence seems to be random, but since its structure can be predetermined, it can be repeated and copied. This algorithm is often used in malware as well as remote control software.
  • the domain name characteristics are as shown in Table 4.
  • the domain name analyzer is a neural network model based on the cumulative BP algorithm, and a regularization term that comprehensively considers the empirical error factor and the network complexity factor is set in the neural network model.
  • the calculation steps of the neural network model based on the cumulative BP algorithm include: calculating the error objective function; describing the complexity of the neural network; estimating the model parameters by the cross-validation method; and using the stochastic gradient descent parameter to approximate the global minimum solution of the error function.
  • an n-gram (uni-gram, bi-gram, tri-gram) character probability dictionary is established from the 1,495,163 legal domain names obtained by cleaning.
  • for the legal domain names and for each kind of C&C domain name alike, 1000 samples are randomly selected as the training sample set, and the cumulative BP algorithm is used.
  • the part describing the complexity of the neural network is added to the error objective function, and the model parameters are estimated by the cross-validation method.
  • stochastic gradient descent is used to approach the global minimum of the error function.
  • features are extracted from the characters of the registered domain name.
  • the regularization term is added to the BP algorithm training model to trade off empirical error against network complexity, which effectively controls over-fitting.
  • the domain name analyzing unit 2 is specifically configured to: extract the domain name from the DNS log record; perform feature extraction on the domain name; determine whether the domain name is a C&C domain name according to the character probability dictionary; perform domain name feature quantification on the C&C domain name to obtain its classification number; and determine the category of the C&C domain name according to the classification number.
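An added Python example (not the patent's or Leagsoft's code) of the character-dictionary check performed in step S2 above and by domain name analyzing unit 2: a uni-/bi-/tri-gram character probability dictionary is built from legitimate domain names, and a queried domain is flagged as a C&C candidate when its registered label is poorly explained by that dictionary. The training list, the interpolation weights, the tiny public-suffix set and the mean-minus-two-standard-deviations threshold are all assumptions, and the subsequent classification into one of the 28 C&C categories is not modelled.

```python
"""Added example (not the patent's or Leagsoft's code): n-gram character
probability dictionary used to decide whether a queried domain looks like a
DGA-generated C&C domain (step S2 / unit 2).  Training data, interpolation
weights, suffix list and threshold rule are assumptions."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed stand-in for the patent's cleaned legitimate-domain set (the patent
# uses about 1.5 million Alexa-style names; this tiny list is for illustration).
LEGIT_DOMAINS = [
    "google.com", "facebook.com", "youtube.com", "amazon.com", "wikipedia.org",
    "twitter.com", "instagram.com", "linkedin.com", "microsoft.com", "apple.com",
    "netflix.com", "reddit.com", "yahoo.com", "github.com", "stackoverflow.com",
    "wordpress.org", "adobe.com", "paypal.com", "ebay.com", "dropbox.com",
    "spotify.com", "pinterest.com", "mozilla.org", "oracle.com", "cloudflare.com",
    "salesforce.com", "shopify.com", "bbc.co.uk", "baidu.com", "taobao.com",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
PAD = "^"                                              # start-of-label marker
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "org.uk"}   # assumption: tiny suffix list


def registered_label(domain):
    """Return the registered label, e.g. 'bbc' for www.bbc.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


class NgramDictionary:
    """Uni-, bi- and tri-gram character probabilities with fixed-weight
    interpolation and a uniform floor, so unseen characters never score zero."""

    def __init__(self, labels, weights=(0.5, 0.3, 0.15, 0.05)):
        self.w3, self.w2, self.w1, self.w0 = weights   # assumption: weights sum to 1
        self.uni = Counter()
        self.bi = defaultdict(Counter)     # bi[prev][c]
        self.tri = defaultdict(Counter)    # tri[prev2 + prev1][c]
        for label in labels:
            history = PAD * 2
            for c in label:
                self.uni[c] += 1
                self.bi[history[-1]][c] += 1
                self.tri[history][c] += 1
                history = history[1:] + c
        self.total = sum(self.uni.values())

    def prob(self, history, c):
        """Interpolated P(c | two previous characters)."""
        ctx3 = self.tri.get(history)
        ctx2 = self.bi.get(history[-1])
        p3 = ctx3[c] / sum(ctx3.values()) if ctx3 else 0.0
        p2 = ctx2[c] / sum(ctx2.values()) if ctx2 else 0.0
        p1 = self.uni[c] / self.total
        return self.w3 * p3 + self.w2 * p2 + self.w1 * p1 + self.w0 / len(ALPHABET)

    def score(self, label):
        """Mean log-probability per character; higher looks more legitimate."""
        history, logp = PAD * 2, 0.0
        for c in label:
            logp += math.log(self.prob(history, c))
            history = history[1:] + c
        return logp / max(len(label), 1)


def build_detector(legit_domains):
    """Train the dictionary and derive the threshold from the training scores
    (assumption: mean minus two standard deviations of legitimate labels)."""
    labels = [registered_label(d) for d in legit_domains]
    model = NgramDictionary(labels)
    scores = [model.score(label) for label in labels]
    return model, statistics.mean(scores) - 2 * statistics.pstdev(scores)


MODEL, THRESHOLD = build_detector(LEGIT_DOMAINS)


def is_cc_candidate(domain):
    """True when the registered label scores below the learned threshold."""
    return MODEL.score(registered_label(domain)) < THRESHOLD


if __name__ == "__main__":
    for d in ["www.apple.com", "skype.com", "xqzjvkwpb.com", "hfdkqvzxwme.net"]:
        s = MODEL.score(registered_label(d))
        print(f"{d:18s} score={s:6.2f} flagged={is_cc_candidate(d)}")
```

With a training set this small, legitimate names built from rare bigrams can fall near the threshold, which is why the patent follows the dictionary check with a trained classifier rather than relying on the dictionary alone.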
  • FIG. 6 is a schematic diagram showing the hardware structure of a computer device according to an embodiment of the present invention.
  • a computer device implementing a botnet detection method based on C&C domain name analysis may include a processor 401 and a memory 402 storing computer program instructions.
  • the processor 401 may include a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention.
  • CPU central processing unit
  • ASIC application specific integrated circuit
  • Memory 402 can include mass storage for data or instructions.
  • the memory 402 can include a Hard Disk Drive (HDD), a floppy disk drive, a flash memory, an optical disk, a magneto-optical disk, a magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these.
  • Memory 402 may include removable or non-removable (or fixed) media, where appropriate.
  • Memory 402 may be internal or external to the data processing device, where appropriate.
  • memory 402 is a non-volatile solid state memory.
  • memory 402 includes a Read-Only Memory (ROM).
  • the ROM may be a mask-programmed ROM, a Programmable Read-Only Memory (PROM), an Erasable Programmable ROM (EPROM), an Electrically Erasable Programmable ROM (EEPROM), an electrically rewritable ROM, flash memory, or a combination of two or more of these.
  • PROM Programmable Read-Only Memory
  • EPROM Erasable Programmable ROM
  • EEPROM Electrically Erasable Programmable ROM
  • the processor 401 implements the C&C domain name analysis-based botnet detection method of any of the above-described embodiments by reading and executing the computer program instructions stored in the memory 402.
  • the computer device can also include a communication interface 403 and a bus 410. As shown in FIG. 4, the processor 401, the memory 402, and the communication interface 403 are connected by the bus 410 and complete communication with each other.
  • the communication interface 403 is mainly used to implement communication between modules, devices, units and/or devices in the embodiments of the present invention.
  • Bus 410 includes hardware, software, or both that couple components of the computer device to each other.
  • the bus may include an Accelerated Graphics Port or Advanced Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a MicroChannel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local bus (VLB), another suitable bus, or a combination of two or more of these.
  • Bus 410 may include one or more buses, where appropriate. Although specific embodiments of the present invention are described and illustrated, the present invention contemplates any suitable bus or interconnect.
  • the embodiment of the present invention may be implemented by providing a computer readable storage medium.
  • the computer readable storage medium stores computer program instructions; when the computer program instructions are executed by the processor, the botnet detection method based on the C&C domain name analysis of any of the above embodiments is implemented.
  • the functional blocks shown in the block diagrams described above may be implemented as hardware, software, firmware, or a combination thereof.
  • when implemented in hardware, it can be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, plug-ins, function cards, and the like.
  • the elements of the present invention are programs or code segments that are used to perform the required tasks.
  • the program or code segments can be stored in a machine readable medium or transmitted over a transmission medium or communication link through a data signal carried in the carrier.
  • a "machine-readable medium" can include any medium that can store or transfer information.
  • machine-readable media examples include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio frequency (RF) links, and the like.
  • the code segments can be downloaded via a computer network such as the Internet, an intranet, and the like.
  • the exemplary embodiments referred to in the present invention describe some methods or systems based on a series of steps or devices.
  • the present invention is not limited to the order of the above steps, that is, the steps may be performed in the order mentioned in the embodiment, or may be different from the order in the embodiment, or several steps may be simultaneously performed.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Debugging And Monitoring (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention relates to a method, device, apparatus and medium for botnet detection based on C&C domain name analysis, the method comprising: an information acquisition step of obtaining a DNS log record; a domain name analysis step of detecting, by means of a pre-built domain name analyzer, C&C domain names in the DNS log record and determining the category to which each C&C domain name belongs; and a botnet determination step of determining whether a botnet is present according to the C&C domain names and the category to which the C&C domain names belong. The method, device, apparatus and medium for botnet detection based on C&C domain name analysis according to the present invention extract the C&C domain names used for attack activity by analysing a domain name system log record, which makes it possible to analyse the type of parasitic Trojan, to lock the zombie hosts controlled by a C&C server and, further, to use the Poisson parameters appearing in the analysis of each type of C&C domain name to analyse the botnet activity trend so as to develop effective suppression measures in a timely manner.
PCT/CN2018/096107 2018-01-15 2018-07-18 Method, device, apparatus and medium for botnet detection based on C&C domain name analysis WO2019136953A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810036078.7 2018-01-15
CN201810036078.7A CN108156174B (zh) 2018-01-15 2018-01-15 Botnet detection method, apparatus, device and medium based on C&C domain name analysis

Publications (1)

Publication Number Publication Date
WO2019136953A1 true WO2019136953A1 (fr) 2019-07-18

Family

ID=62461365

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/096107 WO2019136953A1 (fr) 2018-01-15 2018-07-18 Method, device, apparatus and medium for botnet detection based on C&C domain name analysis

Country Status (2)

Country Link
CN (1) CN108156174B (fr)
WO (1) WO2019136953A1 (fr)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112966713A (zh) * 2021-02-02 2021-06-15 杭州安恒信息技术股份有限公司 Deep-learning-based DGA domain name detection method, apparatus and computer device
CN113158660A (zh) * 2021-04-09 2021-07-23 深圳市联软科技股份有限公司 Subdomain discovery method and system for penetration testing
CN113746952A (zh) * 2021-09-14 2021-12-03 京东科技信息技术有限公司 DGA domain name detection method, apparatus, electronic device and computer storage medium
CN114257565A (zh) * 2020-09-10 2022-03-29 中国移动通信集团广东有限公司 Method, system and server for mining potentially threatening domain names
CN114363062A (zh) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, device and computer-readable storage medium
CN114615003A (zh) * 2020-12-07 2022-06-10 中国移动通信有限公司研究院 Verification method, apparatus and electronic device for command and control (C&C) domain names
CN114826758A (zh) * 2022-05-11 2022-07-29 绿盟科技集团股份有限公司 Security analysis method and apparatus for the domain name system (DNS)
CN114866246A (zh) * 2022-04-12 2022-08-05 东莞职业技术学院 Big-data-based computer network security intrusion detection method
CN115134095A (zh) * 2021-03-10 2022-09-30 中国电信股份有限公司 Botnet controller detection method and apparatus, storage medium and electronic device
CN115333850A (zh) * 2022-08-26 2022-11-11 中国电信股份有限公司 Domain name detection method, system and related device
US11683337B2 (en) * 2020-06-11 2023-06-20 T-Mobile Usa, Inc. Harvesting fully qualified domain names from malicious data packets

Families Citing this family (16)

Publication number Priority date Publication date Assignee Title
US11374897B2 (en) 2018-01-15 2022-06-28 Shenzhen Leagsoft Technology Co., Ltd. CandC domain name analysis-based botnet detection method, device, apparatus and medium
CN108156174B (zh) * 2018-01-15 2020-03-27 深圳市联软科技股份有限公司 Botnet detection method, apparatus, device and medium based on C&C domain name analysis
CN109246074A (zh) * 2018-07-23 2019-01-18 北京奇虎科技有限公司 Method, apparatus, server and readable storage medium for identifying suspicious domain names
CN109246083B (zh) * 2018-08-09 2021-08-03 奇安信科技集团股份有限公司 DGA domain name detection method and apparatus
US10764246B2 (en) * 2018-08-14 2020-09-01 Didi Research America, Llc System and method for detecting generated domain
CN109977221B (zh) * 2018-09-04 2023-09-19 中国平安人寿保险股份有限公司 Big-data-based user verification method and apparatus, storage medium and electronic device
CN110798439B (zh) * 2018-09-04 2022-04-19 国家计算机网络与信息安全管理中心 Method, device and storage medium for actively probing IoT botnet Trojans
CN109450845B (zh) * 2018-09-18 2020-08-04 浙江大学 Deep-neural-network-based method for detecting algorithmically generated malicious domain names
CN109784049B (zh) * 2018-12-21 2021-04-09 奇安信科技集团股份有限公司 Method, device, system and medium for threat data processing
CN109617909B (zh) * 2019-01-07 2021-04-27 福州大学 Malicious domain name detection method based on SMOTE and a Bi-LSTM network
CN110149331B (zh) * 2019-05-22 2021-07-06 中国科学院长春光学精密机械与物理研究所 P2P botnet detection method, apparatus and medium
CN110225030B (zh) * 2019-06-10 2021-09-28 福州大学 Malicious domain name detection method and system based on an RCNN-SPP network
CN112839012B (zh) * 2019-11-22 2023-05-09 中国移动通信有限公司研究院 Bot domain name identification method, apparatus, device and storage medium
CN111628970B (zh) * 2020-04-24 2021-10-15 中国科学院计算技术研究所 Detection method, medium and electronic device for DGA-type botnets
CN111953673B (zh) * 2020-08-10 2022-07-05 深圳市联软科技股份有限公司 DNS covert tunnel detection method and system
CN112949768A (zh) * 2021-04-07 2021-06-11 苏州瑞立思科技有限公司 LSTM-based traffic classification method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101741862A (zh) * 2010-01-22 2010-06-16 西安交通大学 IRC botnet detection system and detection method based on packet sequence features
CN103152442A (zh) * 2013-01-31 2013-06-12 中国科学院计算机网络信息中心 Method and system for detecting and handling botnet domain names
CN106453412A (zh) * 2016-12-01 2017-02-22 绵阳灵先创科技有限公司 Frequency feature-based malicious domain name determination method
WO2017223342A1 (fr) * 2016-06-22 2017-12-28 Ntt Innovation Institute, Inc. Method and system for botnet detection
CN108156174A (zh) * 2018-01-15 2018-06-12 深圳市联软科技股份有限公司 C&C domain name analysis-based botnet detection method, apparatus, device and medium

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007050244A2 (fr) * 2005-10-27 2007-05-03 Georgia Tech Research Corporation Method and system for detecting and responding to network attacks
US8533819B2 (en) * 2006-09-29 2013-09-10 At&T Intellectual Property Ii, L.P. Method and apparatus for detecting compromised host computers
CN104580249B (zh) * 2015-01-28 2019-05-07 北京润通丰华科技有限公司 Log-based method and system for analyzing botnet, trojan and worm networks
CN105072214B (zh) * 2015-08-28 2018-10-09 携程计算机技术(上海)有限公司 C&C domain name identification method based on domain name features
CN105897714B (zh) * 2016-04-11 2018-11-09 天津大学 Botnet detection method based on DNS traffic features
CN106657001B (zh) * 2016-11-10 2019-12-13 广州赛讯信息技术有限公司 Botnet detection method based on Netflow and DNS logs
CN106549980B (zh) * 2016-12-30 2020-04-07 北京神州绿盟信息安全科技股份有限公司 Malicious C&C server determination method and apparatus
CN107196910B (zh) * 2017-04-18 2019-09-10 国网山东省电力公司电力科学研究院 Big data analysis-based threat early-warning monitoring system, method and deployment architecture
CN107404473A (zh) * 2017-06-06 2017-11-28 西安电子科技大学 Mshield-based machine learning multi-mode web application protection method

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11683337B2 (en) * 2020-06-11 2023-06-20 T-Mobile Usa, Inc. Harvesting fully qualified domain names from malicious data packets
CN114257565B (zh) * 2020-09-10 2023-09-05 中国移动通信集团广东有限公司 Method, system and server for mining potentially threatening domain names
CN114257565A (zh) * 2020-09-10 2022-03-29 中国移动通信集团广东有限公司 Method, system and server for mining potentially threatening domain names
CN114615003A (zh) * 2020-12-07 2022-06-10 中国移动通信有限公司研究院 Verification method, apparatus and electronic device for command-and-control (C&C) domain names
CN112966713A (zh) * 2021-02-02 2021-06-15 杭州安恒信息技术股份有限公司 Deep learning-based DGA domain name detection method, apparatus and computer device
CN112966713B (zh) * 2021-02-02 2024-03-19 杭州安恒信息技术股份有限公司 Deep learning-based DGA domain name detection method, apparatus and computer device
CN115134095A (zh) * 2021-03-10 2022-09-30 中国电信股份有限公司 Botnet controller detection method and apparatus, storage medium, electronic device
CN113158660B (zh) * 2021-04-09 2023-03-21 深圳市联软科技股份有限公司 Subdomain discovery method and system applied to penetration testing
CN113158660A (zh) * 2021-04-09 2021-07-23 深圳市联软科技股份有限公司 Subdomain discovery method and system applied to penetration testing
CN113746952A (zh) * 2021-09-14 2021-12-03 京东科技信息技术有限公司 DGA domain name detection method, apparatus, electronic device and computer storage medium
CN113746952B (zh) * 2021-09-14 2024-04-16 京东科技信息技术有限公司 DGA domain name detection method, apparatus, electronic device and computer storage medium
CN114363062A (zh) * 2021-12-31 2022-04-15 深信服科技股份有限公司 Domain name detection method, system, device and computer-readable storage medium
CN114866246A (zh) * 2022-04-12 2022-08-05 东莞职业技术学院 Big data-based computer network security intrusion detection method
CN114866246B (zh) * 2022-04-12 2023-07-04 东莞职业技术学院 Big data-based computer network security intrusion detection method
CN114826758A (zh) * 2022-05-11 2022-07-29 绿盟科技集团股份有限公司 Security analysis method and apparatus for the domain name system (DNS)
CN114826758B (zh) * 2022-05-11 2023-05-16 绿盟科技集团股份有限公司 Security analysis method and apparatus for the domain name system (DNS)
CN115333850A (zh) * 2022-08-26 2022-11-11 中国电信股份有限公司 Domain name detection method, system and related device
CN115333850B (zh) * 2022-08-26 2024-04-23 中国电信股份有限公司 Domain name detection method, system and related device

Also Published As

Publication number Publication date
CN108156174B (zh) 2020-03-27
CN108156174A (zh) 2018-06-12

Similar Documents

Publication Publication Date Title
WO2019136953A1 (fr) Method, device, apparatus and medium for botnet detection based on C&C domain name analysis
US11374897B2 (en) CandC domain name analysis-based botnet detection method, device, apparatus and medium
CN109951500B (zh) Network attack detection method and apparatus
US10721244B2 (en) Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program
CN106657001B (zh) Botnet detection method based on Netflow and DNS logs
US8549645B2 (en) System and method for detection of denial of service attacks
CN107770132B (zh) Method and apparatus for detecting algorithmically generated domain names
US10944784B2 (en) Identifying a potential DDOS attack using statistical analysis
US20180309772A1 (en) Method and device for automatically verifying security event
JP2019021294A (ja) DDoS attack determination system and method
Hu et al. BAYWATCH: robust beaconing detection to identify infected hosts in large-scale enterprise networks
WO2015047803A1 (fr) Malware detection based on VM behavioral analysis and machine learning classification
CN107209834B (zh) Malicious communication pattern extraction device, system and method therefor, and recording medium
JP2013232716A (ja) Attack determination device, attack determination method and attack determination program
CN112437062B (zh) ICMP tunnel detection method, apparatus, storage medium and electronic device
Nguyen et al. DGA botnet detection using collaborative filtering and density-based clustering
CN106911665B (zh) Method and system for identifying weak-password intrusion behavior by malicious code
CN113938312B (zh) Brute-force attack traffic detection method and apparatus
US10721148B2 (en) System and method for botnet identification
CN114785567A (zh) Traffic identification method, apparatus, device and medium
CN111885034B (zh) IoT attack event tracing method, apparatus and computer device
Niu et al. Using XGBoost to discover infected hosts based on HTTP traffic
Chiba et al. Botprofiler: Profiling variability of substrings in http requests to detect malware-infected hosts
CN117391214A (zh) Model training method, apparatus and related device
Kheir et al. Peerviewer: Behavioral tracking and classification of P2P malware

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18900319

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205 DATED 12.03.2021.)

122 Ep: pct application non-entry in european phase

Ref document number: 18900319

Country of ref document: EP

Kind code of ref document: A1